From a GDPR perspective, data controllers are required to determine whether their processing activities, and the resulting risks to data subjects, are adequately addressed by the security measures currently in place. The regulation does not prescribe the specific security measures, or the minimum technical standards for those measures, that a company must implement in order to be compliant; Article 32 asks only for technical and organisational measures "appropriate" to the risk. The obligation it places on companies is to assess that risk, decide which measures are needed to meet the requirements of the GDPR, and ensure that all necessary precautions are taken to minimize the likelihood of data breaches and leaks.
Many organizations have implemented extensive cyber security and data protection measures, yet new breaches are reported day after day, to the detriment of millions of users. Increasingly sophisticated attacks are carried out by attackers who have learned to evade even well-funded, layered defenses. It is no exaggeration to say that every organization must operate on the assumption that its IT infrastructure is constantly under attack and may already have been compromised in a variety of ways. Nor should it be forgotten that Article 33 of the GDPR requires a personal data breach to be notified to the supervisory authority, where feasible, within 72 hours of the controller becoming aware of it. Organizations therefore need technology that provides visibility across the entire network, so that a compromise can be detected, its extent identified, and a quick and effective response mounted. It is essential that organizations continue to invest in threat prediction and prevention, and in particular in building advanced, around-the-clock incident detection and response capabilities.
By equipping yourself with the right people, processes and technology controls, you can best protect your business from accidental or malicious data breaches. By following a remediation roadmap and protecting all personal data, you reduce both the likelihood of a breach and its potential negative effects. The penalties for non-compliance with the GDPR are well known, but it is still less widely appreciated that a data breach has far-reaching consequences of its own: lost revenue, reputational damage, reduced productivity, and so on.
Against this backdrop, one thing you need to be well aware of is that cyber security moves at breakneck speed to keep up with attackers who are constantly developing new tactics to breach defenses. Cyber security is essentially about predicting and preventing breaches, detecting those that do occur, and reacting intelligently to minimize their impact. In concrete terms, it is about combining human skills with dedicated software, each improving the other: behind every attack there is a person, so the defense too must be built on people able to think like an attacker would, react to situations in ways technology cannot, and train automated technology to make it smarter and smarter.
Sara Avanzi